Re: Next steps for accessible authentication from Alastair Campbell on 2017-06-15 (public-cognitive-a11y-tf@w3.org from June 2017)

From: Alastair Campbell <acampbell@nomensa.com>
Date: Thu, 15 Jun 2017 16:43:30 +0000
To: lisa.seeman <lisa.seeman@zoho.com>
CC: "public-cognitive-a11y-tf@w3.org" <public-cognitive-a11y-tf@w3.org>, WCAG <w3c-wai-gl@w3.org>
Message-ID: <C37E1398-41F6-4B75-A552-5DC337585BC5@nomensa.com>

Hi Lisa,

Something I haven’t been able to work out, and will be needed by the web auth folks, is: What are the possible solutions?

Lets take an email provider as an example (e.g. Yahoo, Google).

If they cannot use (or rely) on passwords or copying numbers, what could they use for two factor authentication? I.e. both factors.

There needs to be two things, and we can’t rely on:

-          Passwords (recall)

-          Copying from a two-factor token app like Google Authenticator [1]

-          SMS, as standards bodies are saying they are to easy to get around so not considered secure [2].

-          Email resetting, because they are an email provider.

-          Biometrics that a user doesn’t have, possibly due to disability, but more likely because there is no standard technology that people have.

I’m really struggling to see how a website can provide a secure login, at least in the next year or so until the protocols actually gain some traction (they don’t have to be W3C, but they do have to be reasonably available).

At the other end of the scale, what does a smaller website do? Password and have an easy email reset? Is there anything else?

Cheers,

-Alastair



1] https://en.wikipedia.org/wiki/Google_Authenticator

2] https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/


From: "lisa.seeman" <lisa.seeman@zoho.com>


Next steps for accessible authentication

1. We need to set up a review with the web authentication folks and check they are comfortable we are ncreating security problems. Who should set that up? (Options: John, Me, Andrew or Josh as wcag chairs or Janina as APA...)

2. All the comments need to be addressed in github . see: https://github.com/w3c/wcag21/issues/23

also we need to check the survey: https://www.w3.org/2002/09/wbs/35422/COGA_Auth/results(although we can disagree with them and try and convince them)

3. We need an exception for when this is not possible with current legislative requirments

4. Possible exception for coping up to four characters ? DO we see a user problem with this?

All the best

Lisa Seeman

LinkedIn<http://il.linkedin.com/in/lisaseeman/>, Twitter<https://twitter.com/SeemanLisa>

Received on Thursday, 15 June 2017 16:44:17 UTC